I have a virtual switch with 2 NICs. I have 4 VMs hanging off this vSwitch. I am about to put a 4th VM on the switch, but this VM needs two vNICs: 1 NIC going to the LAN and the other NIC going to the DMZ. Any articles or best practices?
This vNIC that is in the DMZ is going to be on its own separate network. Does this need its own pNIC?
Yes, unless you are using VLAN and VST, you will need a new vswitch+pNIC and a second vNIC in the VM.
--Matt
I can create a VLAN for this DMZ'd network. What is VST?
If I do use the same vSwitch, how can I make the pNIC in a separate VLAN?
So if I do not use the VLAN, I would have to "waste" 2 pNICs for redundancy on one VM running in a DMZ?
Hi,
You have two options:
1. Create a new vSwitch, move a pNIC to that vSwitch and connect it to your physical switch.
2. Make your DMZ a VLAN and create port groups on your vSwitch: one for the DMZ and one for the "Internal" network. This way you can keep redundancy on the pNICs.
Best regards
Frank Brix Pedersen
Hi,
1-Either have the VM on a separate vSwitch uplinked to a pNIC (or two). These interfaces will then need to be connected to a physical switch that is used for DMZ connectivity.
OR
2-Use Virtual Switch Tagging (VST) on the vSwitch and set up port groups (assuming you know the VLAN IDs of each network). You will also need to configure trunk ports on the physical switch (802.1Q) and trunk your VLANs.
Hope that helps
gd
I would not consider 2 nics for your Virtual DMZ a waste, it would increase the security of the environment.
If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points
Tom Howarth
VMware Communities User Moderator
Blog: www.planetvm.net
Hello,
Moved to Security and Compliance forum.
Please read through http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf as well as http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf to understand how vSwitches fit into your security.
You should assign minimally 2 pNICs to your DMZ that are not part of any other security zone. Note that VLANs do NOT offer security, so using them as a security tool is not recommended. Many people do use them, but what happens when you leave the virtual network? Those same attacks the vSwitch prevents can still possibly happen within the physical layer. But that is another subject.
The DMZ vSwitch should be segregated from all other vSwitch and port group traffic. So segregated DMZ-only pNICs and pSwitches are the recommended way. This is an ongoing discussion within the Security and Compliance forum. You may also wish to peruse some of the threads on this subject.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
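As an added example (not code from any of the posts above), here is a PowerCLI script for the two options Frank and gd describe, followed by the uplink-segregation check Edward recommends. The vCenter, host, VM, uplink names and VLAN 100 are placeholders I chose for illustration.

```powershell
# Added example, not from the thread. All names below are placeholders.
Connect-VIServer -Server 'vcenter.example.local'            # placeholder
$vmhost  = Get-VMHost -Name 'esx01.example.local'           # placeholder
$dmzNics = @('vmnic2', 'vmnic3')                            # pNICs reserved for the DMZ only

# Option 1: separate vSwitch with its own pNICs, cabled to the DMZ physical switch.
$dmzSwitch = New-VirtualSwitch -VMHost $vmhost -Name 'vSwitchDMZ' -Nic $dmzNics
$dmzPg     = New-VirtualPortGroup -VirtualSwitch $dmzSwitch -Name 'DMZ'

# Option 2 (VST): DMZ as an 802.1Q-tagged port group on the shared vSwitch0.
# The physical ports behind vSwitch0's uplinks must be trunks carrying VLAN 100.
# This keeps pNIC redundancy, but the VLAN tag is not a security boundary once
# traffic leaves the vSwitch, which is the point Edward makes above.
# $shared = Get-VirtualSwitch -VMHost $vmhost -Name 'vSwitch0'
# $dmzPg  = New-VirtualPortGroup -VirtualSwitch $shared -Name 'DMZ-VLAN100' -VLanId 100

# Give the VM a second vNIC on the DMZ port group; its first vNIC stays on the LAN.
$vm = Get-VM -Name 'dmz-web01'                              # placeholder
New-NetworkAdapter -VM $vm -NetworkName $dmzPg.Name -StartConnected | Out-Null

# Check 1: no other vSwitch on this host may use the DMZ uplinks.
foreach ($vs in Get-VirtualSwitch -VMHost $vmhost) {
    if ($vs.Name -ne 'vSwitchDMZ') {
        $overlap = @($vs.Nic | Where-Object { $dmzNics -contains $_ })
        if ($overlap.Count -gt 0) {
            Write-Warning "$($vs.Name) shares DMZ uplinks: $($overlap -join ', ')"
        }
    }
}

# Check 2: the DMZ vSwitch should carry DMZ port groups only (no LAN/mgmt/vMotion).
$extraPgs = Get-VirtualPortGroup -VirtualSwitch $dmzSwitch |
            Where-Object { $_.Name -notlike 'DMZ*' }
if ($extraPgs) {
    Write-Warning "Non-DMZ port groups on vSwitchDMZ: $($extraPgs.Name -join ', ')"
}
```

Run the two checks again after any host network change; a pNIC silently added to the wrong vSwitch is the most common way the segregation gets lost.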